Next time I will try the method from this blog post. And maybe become a better hacker.
Presentation here: https://www.fleark.de/keyfob.pdf
Something I've always wondered about is, how do learning remotes defeat this?
My car has a couple of built-in garage door buttons, and I'm pretty sure I programmed it by just hitting the remote button in the garage while the car was in a learning mode. Is that a much more sophisticated feature than you would assume (e.g. decoding the signal, recognizing the type, then initiating a pairing with the opener, instead of just replaying the signal)?
I linked this in a sub comment, but the largest garage door maker in the US is Chamberlain [0] (which owns a ton of other brands) and uses known rolling code algorithms that can be decoded. [1]
[0] https://www.chamberlain.com/ [1] https://github.com/argilo/secplus
My understanding is that the earlier rolling code systems are easily defeated and I think this can be done (possibly with stock firmware) using a Flipper Zero.
Prior to that, garage doors had a set of DIP switches (16, or 32, I can't remember). You matched the switch configuration on your opener with the switch configuration on the controller. And as you might imagine, in a typical suburban area about 80% of the garage doors are set to all zeros.
Because the range of the devices was "lucky if you can open the door from the bottom of your driveway", most people didn't notice this. Of course that meant you could open a large number of garage doors by sending the "0" signal for each manufacturer with enough wattage.
Compatible models are made by reverse engineering each individual model's rolling code implementation (in the early days) and making an accessory that had the necessary seed value or other component to allow it to be "paired" with a compatible door head unit. Considering it wasn't uncommon for the higher-end models to charge $150 for an accessory remote, manufacturers had a bit of incentive to roll their own slightly incompatible implementations.
This is from memory and minimal memory at that, but -- late 90s or early 00s, I think, "HomeLink" was created, which basically allowed car manufacturers to integrate a door opener into the car. If you bought a higher-end model, your visor might have the buttons in it. I believe licensing allowed third-parties to easily create fully compatible accessories at that point (pay a fee, get the patent license/datasheets sort of arrangement).
[0] Genie thinks they were first in 1995 but I seem to recall we had a rolling code door installed as early as 1993.
A learning remote for such a system could work by simply replaying whatever it heard when it recorded during learning. So if you press the "learn" button, press the button on your current remote, and then do whatever tells the learning remote you are done it could save everything its radio picked up during that few seconds, and then play that back whenever you press the open/close button.
You probably wouldn't want to take that bare bones approach though. The recording might include other things. Suppose while you are setting it up someone happens to come to your house and press the button on your wireless doorbell, which just happens to operate in the same band as your garage opener. That gets picked up and is part of your recording.
You don't notice this when you test the recording afterwards because you are in the garage and can't hear the doorbell, but your spouse inside is getting spurious doorbell dings. It might take a while for someone to realize that your plague of spurious doorbell rings is connected to the garage door.
You'd want to at least look at the recorded signal and crop it down to just the part with the actual door signal. If the signal has both a door signal and something else like the aforementioned wireless doorbell the new remote might pick the wrong one, but in that case you'll know right away and can try again.
Better would be if the new remote could actually decode the signal to get the code, and then generated a new signal with that code every time. The record and replay method, even if cropped down to the right signal, might have recorded a weak or noisy signal which might be hard for the header for end to handle. By figuring out the code and generating a clean strong signal every time you'll get better performance.
That approach does require understanding the details of the code systems of each manufacturer whose remotes you want to be able to clone.
Nearly every home garage door opener company in the US switched to rolling codes for their new models during the '90s, and so if you are dealing with any system installed less than ~25ish years ago it almost certainly uses rolling codes.
These typically work like this. They have a pseudorandom sequence determined by a seed value. The seed is determined by the remote. I don't know if the seed is built in at manufacturing time or selected at random by the remote when it is first powered up or what. The remote generates the sequence and keeps track of where it is in the sequence. Each press of the open/close sends the next value.
The head end has a "learn" mode. You put it in learn mode and then press the open/close button a couple of times on the remote. The head sees those, recognizes they are in the right format for its system, and is able to figure out what seed would have had to been used for that system's sequence function to produce those two consecutive values. It adds that to a table of known remotes.
In operation when you press open/close, the head decodes the signal to get the sequence value, checks its table to see if that matches the value it expects from any of the known remotes. If it does the door operates and it updates its idea of where that remote is in its sequence.
There's some slack in there so that it will accept a sequence value several values ahead of what it last saw from a remote so if say your bored kid on a trip pressed the remote button a dozen times you won't get home and find your garage won't open.
You could make a learning remote that could clone an existing rolling code remote by following the same procedure the head follows for learning a remote. The learning remote would have to know the rolling code systems for all the systems it supports, but that would be doable.
The problem would be if you got the learning remote because you wanted an additional remote. To the head end the cloned remote is the original remote. Say you have one remote and two people, and you clone the remote this way. As long as neither of you goes too long without using their remote it would be fine. But if for some reason one of you doesn't use yours for a while the other might advance the sequence past the slack that I mentioned earlier and yours would stop working.
You'd have to re-pair it with the head end. How well that would work would depend on details of the system. If the pairing works by recovering the initial seed value, and that is used as the key for the head's table of remotes, it might cause problems because the two remotes have the same seed but are farther apart in their sequences than the slack.
(I suppose you could clone the old remote, then take the battery out of the old remote long enough for it to re-seed when you put the battery back in--assuming the seed isn't fixed at manufacturing time--and then pair it with the head).
The way every universal remote for rolling codes that I've seen works is that you don't use an existing remote to teach them. They have a way to tell them what your head end is. You do that, then you pair them with your head just like you would pair a new remote bought from the head's manufacturer.
These things don't usually have rich user interfaces. Telling it what system you have will probably mean looking up a number in a table in the manual, and then pressing some button on the remote (probably hidden in the battery compartment so it won't accidentally be hit), then pressing the button you want to program N times where N is the number you looked up in the manual.
You might need several tries because some manufacturers have changed code systems multiple times. If you don't know what year yours was made you might have to try them all. Even knowing the year might not help. Genie for example has one from 1995, one from 2005, and one that I think is from 2011, and they didn't stop using the old ones when the new ones came out.
It could be a nice feature if the universal remote could look at the signal from your existing remote to learn what rolling code system your head end uses. But it would also mean the universal remote would need a receiver, and that would be the only thing the receiver is used for so it is hard to justify. Pairing with the head and telling the head to open/close the door is strictly one way: remote to head.
My garage door opener uses a 12 but dip switch config (and my last place used an 8 dip switch config, and I'm pretty sure still does).
Re reading that OpenSesame post was fun. It reminded me of a few names I need to go find out what they're up to these days (Travis Goodspeed and Michael Ossmann are names I remember seeing doing/writing-up some really cool stuff), and that the Mattel IM-ME toy he was using uses that same CC1110 "sub gHz"
Seriously, the car fob is the largest thing in my pocket after the phone (thickness-wise at least).
It's arguable if this would have any effect on criminals who are known to follow rules (/s), but will definitely have an impact on some businesses.
A criminal record can disallow participation. One way for people who have a record to enjoy success after serving their sentence is to start and run their own business, but I guess they are screwed. <shrug-emoji></shrug-emoji>
https://wp.nastf.org/?page_id=367
https://wp.nastf.org/wp-content/uploads/2023/07/ApplicationC...
The same goes for my house. I could live in a concrete bunker with no windows and steel doors, but I would much rather live in a home with large windows and a door with a crummy deadbolt.
The risk of someone stealing my car or breaking into my house is low. If that risk increases (and thus the area's overall quality decreases), I'll move to a different location.
proper PSK cryptographic locks can (and are) implemented for cars already, just not all cars.
A obvious countermeasure for such attacks would be to have the car measure the RTT between the car and fob, exchanging some cryptographic credential. If it takes too long the fob is too far away and/or an attackers repeater is adding delay.
Stock Flipper can receive raw signal.
You might be able to get it to output raw demodulated FSK or OOK data without further processing, but I really doubt you are getting raw IQ samples from it.
A HackRF clone is cheaper than a Flipper, and way more capable in my opinion. I would bet most flippers either lie in drawers or are used by stupid teenager kiddies for trolling.
Each has their use. The Flipper is nice for quick and lightweight checking of things. LimeSDR is incredibly capable, but also a bit of a pain in the ass to use. Not something you'll flip out to quickly check something or run an experiment.
I find my FZ most useful, not for the radio stuff, but as a wireless (read: untethered) way to dump and write EEPROMs using a POMONA clip, otherwise, yes, it sits in a drawer.
Yes, but a "HackRF clone, plus a Proxmark3, plus IR, plus whatever" probably isn't.
For $400 you can get a limeSDR mini that can read and write 30MHz of spectrum at a time, ie the entire ham 70cm band all at once.
If you think a flipper is dangerous, plug in a dummy load and dump noise on L1 then watch your phones GPS stop working, or alternatively decide it's on another continent.
One thing to consider is that the payload will be encrypted so you wont be really able to tell apart what is the rolling code. Hopefully fobs have stronger encryption so collecting enough sniffs and analyzing is insufficient (looking at tesla with their 64bit encryption, hopefully they upgraded).
Honda replay myth mentioned in the article is BS, it was popularized by ppl faking a simple replay attack while doing a more complicated one. If you record the fob command and the car never receives it, of course you can immidiatly after replay it to the car and car will accept it since RC is valid. But if you're sniffing while car is receiving it, RC gets updated. If Honda didn't have RC, it would have been far worse than the KIA boys (overriding immobilizer protection and hotwiring the car) issue that did a lot of damage to KIA in US.
